Stop suspicious login activity alerts

As an administrator, you can use email alerts to notify you if there’s suspicious sign-in activity for one of your users. For example, we might notice a sign-in attempt that doesn’t match a user’s normal behavior. In most cases, before we send you an alert, we present the user with an extra security question or challenge. If the user fails or abandons the challenge, we send you the alert. The alert warns you that someone has the suspended user's password. For more information, see Administrator email alerts.

Examples of suspicious logins

A user doesn't follow their usual sign-in pattern, such as a signing in from an unusual location.

There was a successful login from a suspended user's account.

Note: You might also get an alert if a suspicious event occurs when a user is using Mail Fetcher to import mail from another Gmail account, because the messages are being fetched through our servers.

Investigate suspicious sign-in activity

Ask the user with the suspicious login if they remember signing in. They can check their last account activity if they're unsure.